SIP and VoIP

What is SIP?
What’s a Control Channel?
History of Signaling Channels
Signaling and VoIP
Complexity
Basic SIP Architecture
Simple SIP Calling
Alice Calls Bob
Firewalls and NATs
SIP URIs
Multiple Proxies

Attacking SIP

Defenses

Complex Scenarios

1 / 44

What is SIP?

■ Session Initiation Protocol
■ Control channel for Voice over IP
■ (Other control channel protocols exist, notably H.323 and Skype’s, but we’ll focus on SIP)

2 / 44

What’s a Control Channel?

■ A control channel — known in the telephone world as a signaling channel — does call setup
■ It locates the other end point, determines if it’s available, asks the endpoint to alert the called party, passes back status to the caller, etc.
■ Even in a pure IP world, we need a signaling channel; when connecting to the PSTN (Public Switched Telephone Network), it’s essential

3 / 44

History of Signaling Channels

■ Telephone signaling was once done “in-band” — that is, the pulses or tones were sent over the same circuit as would later be used to carry the voice traffic for that call
■ “Blue boxes” — telephone fraud devices — worked by simulating some of the control tones used to set up free calls
■ The solution was to move signaling to a separate, “out-of-band” data network, known today as CCIS (Common Channel Interoffice Signaling)
■ Out-of-band signaling is more efficient; it allows easy creation of fancier services

4 / 44

Signaling and VoIP

■ Why can’t we just call a domain name or IP address?
■ Many endpoints don’t have stable, easily-memorized domain names
■ IP addresses change frequently, especially for dial-up and hotspot users
■ There are other complexities

5 / 44

Complexity

■ PSTN interconnection: very many endpoints have just a few IP addresses
■ Besides, someone has to pay for the PSTN interconnection
■ Firewalls
■ Network address translators (NATs)
■ Mapping between “phone number” and IP address
■ Business arrangements between telephone companies
■ Unreachable hosts
■ Fancy phone features

6 / 44

Basic SIP Architecture

■ SIP endpoints speak IP
■ Ideally, the actual conversation would be end-to-end, from one SIP phone to the other
■ Each node can use a SIP proxy for call setup

7 / 44

Simple SIP Calling

[Figure: Alice, Bob, nodes R1 and R2, and VoIP Providers 1, 2 and 3]

8 / 44

Alice Calls Bob

■ Alice uses VoIP Provider 1 (VP1) as her proxy; Bob uses VoIP Provider 2 (VP2) as his
■ To call Bob, Alice sends a SIP URI to VP1 via TCP
■ VP1 determines that the URI points to VP2, so the call setup request is relayed there via TCP
■ VP2 tells Bob about the call via TCP; if he wants to, he can accept it
■ Notification is sent back to Alice via VP1
■ Alice establishes a direct UDP data connection to Bob for the voice traffic

9 / 44

Firewalls and NATs

■ If Alice or Bob is behind a firewall or NAT, they may not be able to set up end-to-end data connections
■ In that case, the data traffic for one or both parties will also flow through the proxy

10 / 44

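To make the call flow on the last two slides concrete, here is an added example (not from the lecture): it builds Alice’s INVITE with its SDP media offer, parses Bob’s 200 OK to find where the direct UDP voice traffic should go, and shows the firewall/NAT case where a proxy rewrites the SDP so that media flows through it instead. All addresses, URIs and the helper names are constructed for the example.

```python
"""Minimal SIP/SDP handling for the Alice -> VP1 -> VP2 -> Bob call.
Constructed example: addresses, URIs and helper names are made up."""
import re


def parse_sip(raw: str):
    """Split a SIP message into (start line, headers, body).
    Header names are case-insensitive in SIP, so keys are lower-cased."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers, body


def make_sdp(user: str, media_ip: str, media_port: int) -> str:
    """SDP body announcing where this party will receive RTP audio."""
    return (f"v=0\r\no={user} 1 1 IN IP4 {media_ip}\r\ns=call\r\n"
            f"c=IN IP4 {media_ip}\r\nt=0 0\r\n"
            f"m=audio {media_port} RTP/AVP 0\r\n")


def build_invite(caller: str, callee: str, sig_ip: str, sdp: str) -> str:
    """Alice's INVITE, sent over TCP to her proxy VP1 (signaling only)."""
    return (f"INVITE {callee} SIP/2.0\r\n"
            f"Via: SIP/2.0/TCP {sig_ip};branch=z9hG4bK-1\r\n"
            f"From: <{caller}>;tag=a1\r\nTo: <{callee}>\r\n"
            f"Call-ID: c1@{sig_ip}\r\nCSeq: 1 INVITE\r\n"
            f"Content-Type: application/sdp\r\n"
            f"Content-Length: {len(sdp)}\r\n\r\n{sdp}")


def build_ok(invite: str, sdp: str) -> str:
    """Bob's 200 OK: copies the dialog headers from the INVITE and adds
    Bob's own SDP answer (his media address)."""
    _, h, _ = parse_sip(invite)
    return (f"SIP/2.0 200 OK\r\nVia: {h['via']}\r\nFrom: {h['from']}\r\n"
            f"To: {h['to']};tag=b1\r\nCall-ID: {h['call-id']}\r\n"
            f"CSeq: {h['cseq']}\r\nContent-Type: application/sdp\r\n"
            f"Content-Length: {len(sdp)}\r\n\r\n{sdp}")


def media_endpoint(sdp: str):
    """(ip, port) where the peer wants RTP, from the c= and m=audio lines."""
    ip = re.search(r"^c=IN IP4 (\S+)", sdp, re.M).group(1)
    port = int(re.search(r"^m=audio (\d+) ", sdp, re.M).group(1))
    return ip, port


def relay_media_via_proxy(sdp: str, proxy_ip: str, proxy_port: int) -> str:
    """NAT/firewall case: the proxy substitutes its own media address so
    that RTP flows through it rather than end-to-end."""
    sdp = re.sub(r"^c=IN IP4 \S+", f"c=IN IP4 {proxy_ip}", sdp, flags=re.M)
    return re.sub(r"^m=audio \d+ ", f"m=audio {proxy_port} ", sdp, flags=re.M)


if __name__ == "__main__":
    alice_sdp = make_sdp("alice", "198.51.100.10", 40000)
    inv = build_invite("sip:alice@vp1.example", "sip:bob@vp2.example",
                       "198.51.100.10", alice_sdp)
    ok = build_ok(inv, make_sdp("bob", "203.0.113.20", 42000))
    _, _, answer = parse_sip(ok)
    print("Alice sends RTP directly to", media_endpoint(answer))
    relayed = relay_media_via_proxy(answer, "192.0.2.2", 50000)
    print("Behind a NAT, RTP goes via the proxy at", media_endpoint(relayed))
```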
SIP URIs

■ How is a SIP URI converted to a SIP proxy address?
■ What about ordinary telephone numbers?
■ tel: URIs are used for ordinary phone numbers
■ All SIP URIs are converted by means of DNS magic: NAPTR records
■ (For this class, the details aren’t important — the essential point is that by means of repeated, complex DNS lookups, any SIP URI is converted to an IP address)

11 / 44

Multiple Proxies

■ Sometimes, VP1 will talk to VP3 which will route the call to VP2
■ VP1 and VP2 don’t know (or trust) each other; they only know VP3 (and VP4 and VP5 and . . . )
■ How can they establish a trust relationship? What if money is involved? Can VP2 believe that VP1 will pay?

12 / 44

Attacking SIP

The Usual Questions
Information at Risk
Voice Content
Caller/Called Party Information
Billing Information
Eavesdropping on a Link
Eavesdropping on a Call
Registration Hijacking
Tearing Down Sessions
Abusing the DNS
Caller/Called Party Information
Hacking the Proxies
IP Addresses
Billing Systems

13 / 44

The Usual Questions

■ What are we trying to protect?
■ Against whom?

14 / 44

Information at Risk

■ Voice content itself
■ Caller and called party for each connection
■ Billing information

15 / 44

Voice Content

■ Confidentiality is the main concern
■ Is VoIP easier to wiretap than traditional phone service?
■ Only the endpoints should see that information; can be encrypted through proxies
■ Relatively hard to spoof a voice in real-time, so authenticity is not a major concern

16 / 44

Caller/Called Party Information

■ Of great interest to many parties (look at the HP case — that’s the data HP was after)
■ Useful even after the call (you can’t intercept a call after it’s over; you can look at who talked)
■ Must be kept confidential — but proxies need to see it, to route the call
■ Must be authentic, or the call could be misrouted maliciously

17 / 44

Billing Information

■ Derived in part from caller/called party information
■ May have other information from call routing process
■ As before, must be confidential — but there’s no need for other parties to see any of it
■ Integrity failures can lead to billing errors, in either direction
■ (Often a major privacy concern after the fact — again, consider the HP case.)

18 / 44

Eavesdropping on a Link

■ How can someone eavesdrop on a SIP call?
■ Many ways, including things like listening at a WiFi hotspot
■ We’ll discuss other ways later in the semester
■ For now, let’s just assume it’s possible

19 / 44

Eavesdropping on a Call

■ Simplest approach: listen on some link
■ Which link is best for targeting a given person?
■ Easiest: their access link
■ What if they’re mobile? Hard — they could be coming from anywhere
■ Do you have the physical ability to listen on the VoIP provider’s links? What if the VoIP provider is in a distant, unfriendly country?

20 / 44

Registration Hijacking

■ An attacker can try to register with VP2 as Bob
■ If the attacker succeeds, all calls destined for Bob will be routed to the attacker

21 / 44

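The standard defense is for the registrar to authenticate every REGISTER (SIP reuses HTTP Digest authentication, RFC 3261 section 22) and to accept a binding only for the address-of-record of the user who actually authenticated. The toy registrar below is an added example, not code from the lecture; the realm, users, passwords and addresses are constructed, and it implements the plain digest without the qop/cnonce variant.

```python
"""Toy SIP registrar that refuses unauthenticated or cross-user REGISTERs.
Constructed example: realm, users, passwords and addresses are made up."""
import hashlib
import hmac
import re
import secrets


def md5hex(s: str) -> str:
    return hashlib.md5(s.encode()).hexdigest()


def digest_response(user, realm, password, method, uri, nonce) -> str:
    """Digest without qop (RFC 2617 form used by RFC 3261 section 22)."""
    ha1 = md5hex(f"{user}:{realm}:{password}")
    ha2 = md5hex(f"{method}:{uri}")
    return md5hex(f"{ha1}:{nonce}:{ha2}")


def parse_digest(header: str) -> dict:
    """Turn 'Digest username="bob", realm="...", ...' into a dict."""
    return dict(re.findall(r'(\w+)="([^"]*)"', header))


class Registrar:
    def __init__(self, realm: str, users: dict):
        self.realm = realm
        self.users = users     # username -> password (real ones store HA1)
        self.bindings = {}     # address-of-record -> contact URI
        self.nonces = set()    # outstanding challenges, single use

    def challenge(self):
        nonce = secrets.token_hex(16)
        self.nonces.add(nonce)
        return 401, {"WWW-Authenticate":
                     f'Digest realm="{self.realm}", nonce="{nonce}"'}

    def register(self, aor: str, contact: str, authorization: str = None):
        """Handle REGISTER binding `aor` to `contact`; returns (code, headers)."""
        if authorization is None:
            return self.challenge()            # first attempt: challenge
        auth = parse_digest(authorization)
        nonce = auth.get("nonce")
        if nonce not in self.nonces:
            return self.challenge()            # stale or replayed nonce
        self.nonces.discard(nonce)
        password = self.users.get(auth.get("username", ""))
        if password is None:
            return self.challenge()            # unknown user
        expected = digest_response(auth["username"], self.realm, password,
                                   "REGISTER", auth.get("uri", ""), nonce)
        if not hmac.compare_digest(expected, auth.get("response", "")):
            return self.challenge()            # wrong password
        # The anti-hijacking check: a user may only bind his own AOR.
        if aor != f"sip:{auth['username']}@{self.realm}":
            return 403, {}
        self.bindings[aor] = contact
        return 200, {"Contact": contact}


def client_authorization(user, password, realm, nonce, uri) -> str:
    """Authorization header a legitimate phone builds after a 401."""
    resp = digest_response(user, realm, password, "REGISTER", uri, nonce)
    return (f'Digest username="{user}", realm="{realm}", nonce="{nonce}", '
            f'uri="{uri}", response="{resp}"')
```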
Tearing Down Sessions

■ Another false registration attack: tear down calls
■ This is a violation of availability

22 / 44

Abusing the DNS

■ Call routing is partially controlled by the DNS
■ Is it possible to corrupt the DNS answers?
■ Under certain circumstances, it’s not that hard to do (more details later in the semester)
■ By creating fake DNS entries, it’s possible to reroute the call to go via an intercept station

23 / 44

Caller/Called Party Information

■ Again, link eavesdropping and DNS attacks are straightforward
■ The task is easier here; proxies (usually) don’t move around
■ VoIP providers are high-value targets, since they process many calls

24 / 44

Hacking the Proxies

■ Is it possible to hack the VoIP proxy servers?
■ Sure — why not?
■ Conventional phone switches can be (and sometimes are) hacked, but there’s a big difference: the attacker can speak a much more complex protocol to a SIP switch than to a PSTN switch, which means they’re more vulnerable
■ It’s hard to do too much damage with just a few touch-tones!
■ Aside: fancier services are easier to hack, on both kinds of telephone systems

25 / 44

IP Addresses

■ It’s hard to hide IP addresses
■ The legitimate recipient sees the sender’s source IP address; this leaks location data
■ Routing the voice traffic via a proxy can thus be a privacy feature

26 / 44

Billing Systems

■ Similar in nature to old-style ones
■ SIP billing systems are more likely to be Internet-connected
■ Must use strong defenses and firewalls to protect them

27 / 44

Defenses

Protecting SIP
Alice to VP1
Using IPsec
Proxy to Proxy Traffic
End-to-End Signaling Traffic
Key Management for the Voice Call

28 / 44

Protecting SIP

■ As usual, we’ll use crypto to guard against eavesdropping
■ The details, though, are tricky

29 / 44

Alice to VP1

■ Alice has a trust relationship with her proxy
■ Authentication is relatively easy
■ Usually, TLS is used to protect the TCP session to the proxy
■ Alice must verify VP1’s certificate
■ Alice can use passwords or client-side certificates to authenticate herself

30 / 44

Using IPsec

■ IPsec is normally difficult to use to protect specific services
■ However, if there is an organizational SIP gateway, it might be possible to protect all traffic from the organization to the gateway

31 / 44

Proxy to Proxy Traffic

■ VP1 may not have a trust relationship with VP2
■ How can VP1 get VP2’s certificate?
■ More precisely, how can VP1 validate it, if they don’t share a trust anchor?
■ This applies regardless of what security protocol is used (though TLS is the norm)

32 / 44

End-to-End Signaling Traffic

■ Some signaling traffic must be secure end-to-end
■ Example: Bob needs to know, authoritatively, that it’s Alice who has called him
■ However, the intermediate nodes need to see this
■ Solution: digitally sign the data (using S/MIME), but don’t encrypt it

33 / 44

Key Management for the Voice Call

■ How do Alice and Bob get a shared key for voice traffic encryption?
■ Alice uses S/MIME to send Bob an encrypted traffic key
■ But — how does Alice get Bob’s certificate?
■ There is no general PKI for SIP users
■ True end-to-end confidentiality can only happen by prearrangement
■ (This statement is more generally true. . . )

34 / 44

Complex Scenarios

Complex Features
Scenario: A Secretary
The First Attempt
Oops!
Solution
CallerID
Phone Network Design
CallerID and VoIP
The State of Practice

35 / 44

Complex Features

■ As always, complexity causes problems
■ The specific issue here is complex trust patterns
■ Let’s look at some extra features and see how they cause trouble

36 / 44

Scenario: A Secretary

■ Alice tries to call Carol; she reaches Bob, Carol’s secretary
■ Bob decides the call is worthy of Carol’s attention, and wishes to transfer the call to Carol
■ Bob’s phone sends Alice’s phone a message saying “Call Carol, you’re authorized”
■ Carol’s phone has to verify that Bob authorized it

37 / 44

The First Attempt

■ Bob prepares an authenticated identity body (AIB) with his name and the time
■ He sends that to Alice along with Carol’s SIP URI
■ Alice presents the AIB to Carol
■ What’s wrong?

38 / 44

Oops!

■ Nothing linked the AIB to this referral
■ Alice can give the AIB to someone else
■ At least there’s a timestamp to protect against replays

39 / 44

Solution

■ The AIB sent by Bob needs to include Alice’s identity
■ Carol’s phone needs to check the certificate used in Alice’s call setup message, to verify that it’s really from Alice
■ In particular, Alice’s identity in the AIB must match the identity in the certificate

40 / 44

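As an added example (not the lecture’s code), the check below contrasts the first-attempt AIB with the bound one from the last three slides. Bob’s S/MIME signature is stood in for by an HMAC under a key Bob and Carol share, since only authenticity is at issue here; the identities, the key and the timestamps are constructed, and `caller_identity` is the identity Carol’s phone took from the certificate in the caller’s call setup message.

```python
"""Referral AIB: the first attempt versus the bound version.
Constructed example; HMAC stands in for Bob's S/MIME signature."""
import hashlib
import hmac
import json

BOB = "sip:bob@example.org"   # constructed identity of the referring secretary
MAX_AGE = 300                 # seconds an AIB stays valid (the replay guard)


def sign_aib(key: bytes, fields: dict) -> dict:
    """Bob builds and signs an AIB; `fields` is what the signature covers."""
    body = json.dumps(fields, sort_keys=True)
    return {"body": body,
            "sig": hmac.new(key, body.encode(), hashlib.sha256).hexdigest()}


def _verified_fields(key: bytes, aib: dict, now: int):
    """Checks common to both versions: signature valid, issued by Bob, fresh.
    Returns the signed fields, or None if any check fails."""
    expect = hmac.new(key, aib["body"].encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expect, aib["sig"]):
        return None
    f = json.loads(aib["body"])
    t = f.get("time")
    if f.get("referrer") != BOB or t is None or not 0 <= now - t <= MAX_AGE:
        return None
    return f


def accept_first_attempt(key, aib, caller_identity, now) -> bool:
    """'The First Attempt': the AIB carries only Bob's name and the time, so
    whoever holds it is accepted; caller_identity is never consulted."""
    return _verified_fields(key, aib, now) is not None


def accept_bound(key, aib, caller_identity, now) -> bool:
    """'Solution': the AIB also names the referred party, and Carol's phone
    requires that name to equal the identity authenticated from the
    caller's certificate. An AIB without a referee field is rejected."""
    f = _verified_fields(key, aib, now)
    return f is not None and f.get("referee") == caller_identity
```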
CallerID

■ Suppose the SIP call is being relayed to the PSTN
■ Where does the CallerID information come from?
■ Can it be spoofed?

41 / 44

Phone Network Design

■ The phone network was based on trust — only “real” telephone companies had phone switches
■ No authentication was done on information from other switches, including CallerID
■ Today, anyone can run a phone switch. . .

42 / 44

CallerID and VoIP

■ Run Asterisk, an open source PBX program, on some machine
■ Get a leased line to a VoIP-to-PSTN gateway company
■ Configure Asterisk to send whatever information you want. . .
■ This abuse is happening now; see http://www.boston.com/news/globe/magazine/articles/2006/09/24/phony_identification/

43 / 44

The State of Practice

■ Most vendors don’t implement the fancy crypto
■ VoIP is thus not as secure as it could be (but Skype does do a lot of crypto)
■ Beyond that, SIP phones tend to boot themselves over the network — is that connection secure?
■ NIST recommends great care in using VoIP — see http://csrc.nist.gov/publications/nistpubs/800-58/SP800-58-final.pdf

44 / 44